Every leader asks the same question before they let Claude near real client data: “Will this put us offside with GDPR?” It’s the right question.

GDPR compliance is not a single switch you flip inside Claude. It’s a short stack of decisions you make before rollout. Get those right and Claude sits comfortably inside European data law.

This guide walks through that stack. Then it shows where the EU, Germany and Switzerland diverge, because they do.

A note on scope. This is practical guidance, not legal advice. Confirm the specifics with your data protection officer or counsel. We help you ask the right questions and design the rollout — we don’t replace your lawyer.

The one decision that settles most of it: which Claude you use

This is where most confusion starts. Anthropic runs two very different worlds.

Consumer plans — Claude Free, Pro and Max. Since September 2025, these train on your conversations by default, unless a user turns it off in settings. Fine for personal use. Wrong for client data.

Commercial products — Claude for Work (Team and Enterprise) and the Anthropic API. Anthropic does not train its models on your data by default here. This is the path for any serious business rollout.

So the “setting” your team may have heard about is really a tier choice. Put your people on a commercial plan and the default flips in your favour. Leave them on a personal Pro login and you inherit the consumer terms. Most compliance incidents we see are simply the wrong door.

What GDPR actually asks of you

Once you’re on a commercial tier, four things complete the picture.

1. A signed Data Processing Addendum (DPA). Under GDPR, you are the data controller and Anthropic is your processor. Anthropic’s DPA is built into its Commercial Terms and includes the Standard Contractual Clauses, with specific modules for the EU, the UK and Switzerland. This is the contract that makes the relationship lawful.

2. A retention choice. By default, Anthropic deletes API inputs and outputs within 30 days. For stricter needs, a Zero Data Retention agreement removes that storage entirely — nothing kept at rest after the response. Worth requesting where data is sensitive.

3. Your own paperwork. A data protection impact assessment for higher-risk uses. An updated record of processing. Internal rules on what staff may and may not paste in. This part is yours, not the vendor’s.

4. Honest transparency. Tell people when AI touches their data. Keep a human in the loop on decisions that affect them.

This is the same discipline you already apply to any cloud processor — applied deliberately to Claude.

Where your data lives: the residency question

Here’s a nuance that catches teams out. Anthropic’s published certifications cover ISO 27001, ISO/IEC 42001, SOC 2 (Type I and II) and HIPAA-readiness. They do not include the EU–US Data Privacy Framework. So cross-border transfers rest on the Standard Contractual Clauses in the DPA, not on a framework self-certification.

And the direct Anthropic API processes in “US” or “global” regions; there is no EU-only option on it today. If your policy says data must stay in the EU, route Claude through AWS Bedrock or Google Cloud Vertex AI in their European regions instead. Same model, European processing boundary.

This is exactly the kind of plumbing our compliant AI routing layer is built to handle — sending each request to the right place, with an audit trail behind it.
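As an added illustration of the routing decision described above (example code written for this guide, not Headswap's product or Anthropic's code), a fail-closed policy check in Python that sends EU-resident requests only to routes whose region is on an EU allow-list and writes an audit line that hashes the prompt rather than storing it. The route names, the region allow-list and the classification labels are assumptions; which Claude models a given provider offers in each region is not asserted here.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed allow-list: real AWS/GCP region identifiers that sit inside the EU.
EU_REGIONS = {"eu-central-1", "eu-west-1", "europe-west1", "europe-west4"}

# Assumed route table. The direct Anthropic API is modelled as region "global",
# since the guide notes it has no EU-only option today.
ROUTES = {
    "anthropic-api": {"region": "global"},
    "bedrock-frankfurt": {"region": "eu-central-1"},
    "vertex-netherlands": {"region": "europe-west4"},
}


def route_request(classification, prompt, routes=ROUTES, eu_regions=EU_REGIONS):
    """Choose a route for one request and return its audit record.

    classification is "eu-resident" (must stay inside the EU boundary) or
    "unrestricted"; anything else fails closed. The record holds only a
    SHA-256 of the prompt, so the audit trail never becomes a second copy
    of the personal data it exists to protect.
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "classification": classification,
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
    }
    if classification == "unrestricted":
        chosen, reason = "anthropic-api", "no residency constraint"
    elif classification == "eu-resident":
        # A route is eligible only if its region is on the allow-list;
        # the route's name ("bedrock-eu" etc.) is never trusted on its own.
        eligible = sorted(n for n, r in routes.items() if r["region"] in eu_regions)
        if eligible:
            chosen, reason = eligible[0], "EU-resident data kept in EU region"
        else:
            chosen, reason = None, "no EU-region route configured; blocked"
    else:
        chosen, reason = None, "unknown classification %r; blocked" % classification
    record.update({
        "route": chosen,
        "region": routes[chosen]["region"] if chosen else None,
        "allowed": chosen is not None,
        "reason": reason,
    })
    print(json.dumps(record))  # one JSON line per decision for the audit trail
    return record
```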

Three markets, three sets of rules

The transfer mechanics are broadly shared. The local expectations are not.

European Union — the baseline

GDPR sets the floor: a lawful basis, the DPA and SCCs, a DPIA for risky processing, and transparency on automated decisions. Clear it and you’ve cleared most of Europe.

Germany — the strictest room you’ll walk into

Germany layers the BDSG and the Works Constitution Act on top of GDPR. Two practical consequences follow.

First, the works council (Betriebsrat) can block any tool that monitors how employees work — and an AI assistant can fall in scope. Bring them in early. In Germany, an AI rollout is a co-determination conversation, not just an IT one.

Second, the German data protection authorities (the DSK) issued concrete guidance on AI in 2024. Their advice for workplace LLMs is specific: disable dialogue-history storage, opt out of training, keep a human on the final decision, check outputs for accuracy and bias, and never paste personal data where the provider would process it for its own ends. A commercial Claude tier, configured well, meets this — but the configuration must be deliberate.

Switzerland — close to GDPR, with its own teeth

Switzerland’s revised Federal Act on Data Protection (revFADP) has applied since 1 September 2023, overseen by the FDPIC. It tracks GDPR closely: DPIAs, transparency on automated decisions, and strong security expectations.

Two Swiss specifics matter. Transfers to the US are clean only for recipients certified under the Swiss–US Data Privacy Framework (the US joined Switzerland’s adequacy list on 14 August 2024); for everyone else — Anthropic included — SCCs remain the safeguard, which the DPA’s Swiss module provides. And enforcement has an unusual edge: the FADP can fine responsible individuals up to CHF 250,000, not only the company. For banks and insurers, FINMA outsourcing rules and banking secrecy raise the bar again.

A Swiss-sovereign alternative worth watching: Infomaniak

For Swiss organisations where data sovereignty is the hard line, there’s a homegrown option. Infomaniak, the Geneva cloud provider, now offers AI built on open-source models, processed and stored entirely in Switzerland, with no transfer abroad and no training on your data. It’s GDPR- and FADP-compliant, and the data centre even heats Geneva homes with its waste energy. For a Swiss SME that simply cannot send data across a border, that’s a genuinely interesting answer.

There’s a trade-off, and it’s an honest one. Infomaniak runs open-weight models, not Claude. So the agentic developer tooling many teams now rely on, Claude Code being the obvious example, doesn’t map cleanly onto it yet. The capability is sovereign; the harness around it is far less mature. We’ll cover that sovereignty-versus-capability trade-off in a follow-up piece.

How Headswap approaches a compliant rollout

We start by listening, not installing. A short discovery tells us which data your teams actually want Claude to touch, and how sensitive it is. From there the path is pragmatic:

  • Put everyone on the right commercial tier — no personal logins for client work.
  • Sign the DPA; switch on Zero Data Retention where the data warrants it.
  • Route EU- or Swiss-bound data through the right region, with logging.
  • Hand your DPO a clean DPIA and a clear staff-use policy to sign off.
  • In Germany, bring the works council in on day one.

Pragmatic solutions that deliver real value — and, just as importantly, that your compliance team can defend.

Frequently asked questions

Is Claude GDPR-compliant?

Claude can be used in a GDPR-compliant way on a commercial tier (Claude for Work or the API) with a signed DPA. The consumer plans are a different matter — they train on data by default unless changed.

Does Anthropic train on my data?

Not on commercial products (Work, Enterprise, API) by default. Consumer Free, Pro and Max plans do, since September 2025, unless the user opts out.

Can I keep Claude data inside the EU or Switzerland?

The direct API processes in US or global regions only. For an EU processing boundary, run Claude through AWS Bedrock or Google Vertex AI in European regions. For full Swiss residency, a sovereign provider such as Infomaniak is the stronger fit.

Do I need a DPA with Anthropic?

Yes. It’s incorporated into Anthropic’s Commercial Terms and includes EU, UK and Swiss Standard Contractual Clauses.

Is Claude FADP-compliant for Switzerland?

It can be, on the same basis as GDPR — a commercial tier, the DPA with the Swiss SCC module, and a DPIA where needed. Financial firms should also weigh FINMA and banking-secrecy duties.

Does our works council need to approve Claude in Germany?

Very likely. German works councils hold co-determination rights over tools that can monitor staff. Involve them before rollout, not after.

Bring your workflow

What would need to be true for your team to trust Claude with real client data? That’s the question worth answering before the first prompt. If you’d like, we’ll map your data, your market and your obligations into a rollout plan your DPO can sign — start with our AI use-case intake.
